Critical Java zero-day bug is being “massively exploited in the wild” (Updated)

Your fully patched installation of Java isn't safe.

A previously unknown and currently unpatched security hole in the latest version of the Java software framework is under attack online, according to security researchers and bloggers.

Attack code that exploits a vulnerability in Java's browser plugin has been added to the Blackhole, Cool, Nuclear Pack, and Redkit exploit kits, according to the Malware Don't Need Coffee blog, prompting its author to say that the bug is being "massively exploited in the wild." Miscreants use these products to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting visitors. KrebsOnSecurity reporter Brian Krebs said the curators of both Blackhole and Nuclear Pack have taken to the underweb to boast of the addition to their wares. It's not yet clear how many websites have been outfitted with the exploits.

According to researchers at AlienVault Labs, the exploits work against fully patched installations of Java. The attack files are heavily obfuscated and most likely succeed by bypassing the security checks the plugin applies to untrusted applets, so an applet served by a compromised site ends up running code outside the sandbox. KrebsOnSecurity said the malware authors claim the exploits work against all versions of Java 7.

"There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem," Kaspersky Lab expert Kurt Baumgartner wrote. "We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites."

People who don't use Java much should once again consider unplugging Java from their browser, while those who don't use it at all may want to uninstall it altogether. The release notes for Java 7 Update 10—the most recent version—say users can disable Java content in the browser from the Security tab of the Java Control Panel; that switch stops applets from loading in every browser on the machine while leaving the runtime in place for desktop applications that need it. KrebsOnSecurity has instructions here for other ways to do this. Because the switch is stored in the user's Java deployment configuration, re-check it after each Java update rather than assuming it survived.
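The Control Panel checkbox mentioned above is persisted as one line in the per-user deployment.properties file, which means the "is the plugin off?" check can be scripted and re-run after every update instead of being clicked through by hand. The following is an added example written for this article, not Oracle's code. It assumes the property names from Oracle's deployment configuration documentation (deployment.webjava.enabled for the browser switch, deployment.security.level for the Security slider), that an absent deployment.webjava.enabled means the plugin is enabled, that a key suffixed ".locked" in the system-wide file pins the setting, and the per-user file locations shown in user_properties_path(); the sample file contents are constructed.

```python
"""Audit and harden the Java 7u10 browser-plugin switch in deployment.properties.

Added example for this article; it is not Oracle's code. Assumptions:
  deployment.webjava.enabled   <- "Enable Java content in the browser" checkbox
  deployment.security.level    <- Security-tab slider (LOW .. VERY_HIGH)
  an absent deployment.webjava.enabled means the plugin is ON
  "<key>.locked" in the system-wide file pins <key> against user/updater changes
"""
import os
import re
import sys

# Constructed sample of a per-user file as the Control Panel might leave it
# after an update: the web-Java switch is simply absent, i.e. enabled.
SAMPLE = """\
#deployment.properties
#Thu Jan 10 14:02:11 GMT 2013
deployment.version=7.10
deployment.security.level=MEDIUM
deployment.javaws.jre.0.location=http\\://java.sun.com/products/autodl/j2se
deployment.javaws.jre.0.enabled=true
"""

LEVELS = ["LOW", "MEDIUM", "HIGH", "VERY_HIGH"]
# key (with backslash escapes), optional '=' or ':' separator, rest is the value
KEY_RE = re.compile(r"^((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)$")


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_properties(text):
    """Parse the Java .properties subset the Control Panel writes:
    '#'/'!' comments, key=value, key:value, bare keys (lock markers),
    and backslash escapes such as 'http\\://' in values."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = KEY_RE.match(line)
        if m:
            props[_unescape(m.group(1))] = _unescape(m.group(2))
    return props


def render(props):
    """Serialise back to .properties, re-escaping '\\', ':' and '=' in values;
    a key with an empty value (a .locked marker) is written bare."""
    def esc(v):
        return v.replace("\\", "\\\\").replace(":", "\\:").replace("=", "\\=")
    return "".join(f"{k}={esc(v)}\n" if v else f"{k}\n" for k, v in props.items())


def web_java_enabled(props):
    # Anything other than an explicit "false" leaves the plugin active.
    return props.get("deployment.webjava.enabled", "true").strip().lower() != "false"


def audit(props):
    """Return findings; an empty list means the plugin is off and the
    slider is at HIGH or above."""
    findings = []
    if web_java_enabled(props):
        findings.append("deployment.webjava.enabled is not 'false': applets can run in the browser")
    level = props.get("deployment.security.level", "MEDIUM").upper()  # MEDIUM fallback is an assumption
    if level not in LEVELS or LEVELS.index(level) < LEVELS.index("HIGH"):
        findings.append(f"deployment.security.level={level}: below HIGH")
    return findings


def harden(props):
    """Return a copy with the browser plugin disabled and the slider maxed."""
    out = dict(props)
    out["deployment.webjava.enabled"] = "false"
    out["deployment.security.level"] = "VERY_HIGH"
    return out


def system_policy():
    """Content for the system-wide deployment.properties (the file named by
    deployment.config): disables web Java and locks both settings."""
    return render({
        "deployment.webjava.enabled": "false",
        "deployment.webjava.enabled.locked": "",
        "deployment.security.level": "VERY_HIGH",
        "deployment.security.level.locked": "",
    })


def user_properties_path():
    """Per-user file location (assumed from Oracle's documentation)."""
    home = os.path.expanduser("~")
    if sys.platform.startswith("win"):
        return os.path.join(home, "AppData", "LocalLow", "Sun", "Java", "Deployment", "deployment.properties")
    if sys.platform == "darwin":
        return os.path.join(home, "Library", "Application Support", "Oracle", "Java", "Deployment", "deployment.properties")
    return os.path.join(home, ".java", "deployment", "deployment.properties")


if __name__ == "__main__":
    path = user_properties_path()
    text = open(path).read() if os.path.exists(path) else SAMPLE
    props = parse_properties(text)
    for finding in audit(props):
        print("FINDING:", finding)
    print("--- hardened per-user file ---")
    print(render(harden(props)), end="")
    print("--- system-wide lock ---")
    print(system_policy(), end="")
```

Run it as-is to see the audit of the constructed sample; on a real machine it reads the per-user file if one exists. The system-wide variant is the one worth deploying in an office: a per-user "false" only holds until the next person or installer opens the Control Panel, whereas the ".locked" markers in the system file make the setting read-only from the user's side.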

So glad I removed Java from all my home browsers last time there was an exploit (and no, I haven't missed it in the slightest). Guess I have to disable it on the work PC though (still needed for a few pesky internal apps).

So are we going to have another controversy here on Ars when it comes to advice on how to mitigate this, or after Java in the wild exploit #485494727 can we finally agree that having Java enabled in your browser is a really bad idea?

(And yes, for non-savvy users the easiest way to protect themselves is to not have Java on the system at all.)


Probably. But the readers of Ars are quite savvy, so I would prefer if the recommendation to uninstall Java altogether could just be skipped. It's just misguided, and misleading. Disable the browser plugin, period.

Are there any browsers that allow the Java plugin to work only on whitelisted sites? To me this would seem to be the only safe way to allow Java to be installed in an office environment at this point.


Chrome supports blocking all plugins by default, requiring you to click on the ones you want to run specifically. It doesn't allow per-plugin settings (specific to Java), but it does allow whitelisting sites for all plugins.

Is it just me, or has this become a monthly occurrence since Oracle bought Sun? I'm not being snarky; I'm actually curious. Java's not frequently on my radar, but I feel like there was a time when it was generally highly regarded on a security front, and now it seems like a joke, so I'm wondering if something in particular happened: Oracle engineering, or Sun just giving up, or maybe it's finally become a popular platform to try and exploit thanks to the widespread use of Android, or...

This whole web apps thing is going to hell in a teacup, I kid you not.

Yes. But it oversimplifies. And ignores past problems.

Web apps can mean many technologies. But I'll divide them into two: those that do / don't use plug-ins (e.g., Flash, Java, ActiveX, etc.).

Web apps replace installed apps on the workstation. Letting users (in a business environment) install software themselves hasn't proven to be a good or cost effective idea. Many support calls are related to the technology rather than the application.

Web apps are a huge advance. Zero maintenance (like apps that auto update themselves). But also Zero install -- all you need is a browser. Not a lot of technology things to go wrong that are the application's fault. So the vast majority of support issues are now focused on the application.

The real problem is that whatever you use, people will come up with a way to compromise and misuse it. The real problem is people. Bad people. You want to get your task accomplished. They want to steal or at the very least harass. Technology isn't the problem per se. It's a technology arms race. So some technologies are better than others, but not perfect.

The real problem is that we need to get more serious as a society about spending resources to go after the criminals. Otherwise crime flourishes.

Does this affect OpenJDK? Because if not, then I'm pretty dang safe, considering that I don't run Oracle's JVM for performance reasons.

Are you saying OpenJDK has better performance than Oracle's? I would be surprised if that were true.

The real safety issue, no matter what JDK or JRE you use, is: does your browser have the Java plug-in? If so, then I think you're not completely safe.

Actually, yes, it does. Oracle's JRE is one of the most horribly-designed pieces of software ever since their acquisition of Sun. OpenJDK - the default on most Linux distributions - runs quite a bit faster in my experience, though it'll occasionally choke on some apps that absolutely require Oracle's JRE to run.


Yes, yes, there are vulnerabilities to every paradigm, but this half-assed web client / server thing we have going on seems to combine every vulnerability of client AND server. Not to mention the enterprise headaches associated with browser AND OS compatibility with your web app.

Firefox + NoScript is safe from this. Just like last time, and the time before, etc...

Not much different than me running with ActiveX filtering enabled, which allows you to only let ActiveX plug-ins run on whitelisted sites in IE, though NoScript is more fine-grained. The problem with whitelisting is that the user has to make a decision, and if a site tells a user "disable Java blocking to see furry bunny" they will probably do so. Also, a legit whitelisted site can always be hacked to serve malware. Solution #1 is to not install Java, period (which is what I do); solution #2 is to sandbox the browser, which Chrome and IE do, with IE10 having the most secure sandbox (when run in Enhanced Protected Mode), I understand. FF does not sandbox at all, though there are 3rd-party hacks, which is why I don't use or recommend it.


Okay so I guess I fall into the "non-savvy users" camp on this one:

I currently have Libre Office on my Mac, and it obviously requires Java on the system. Am I putting myself at risk?

I don't know Macs, really. On Windows in that situation you'd want to disable the Java plugin in your browser, which protects against this kind of attack. You then just have to make sure a Java update doesn't turn that plugin back on, which it's been known to do.

That's why it's easier to just remove it if you don't need it for something.


Nobody tell the open source zealot that Oracle's JRE is based on the OpenJDK. Let him be happy.

I uninstalled the Java plugin a long time ago. I think Apple did the right thing by not including it in Safari anymore. It's time to say bye to Java, Flash, and even Silverlight. Even PDF helpers too. I had an exploit tied to a PDF document the other day. It's not the browsers that are to blame; it's the web sites who fail to move on to better things. I was watching a CBS news segment and behind the reporter were monitors with the XP screen saver going. That's the whole problem. Getting these businesses to buck up and move on already.


You should be fine as long as it is disabled in your browser(s).

Well, not really. GRUMPY2's "Macs don't get viruses" style argument doesn't hold up; it depends on whether he's accessing the Internet for any reason through Libre Office, or whether the software does it. This is akin to MS Office macros being exploitable.

If the exploits hit a server that Libre Office accesses for anything, the stuff mentioned in the article could propagate into Libre Office if it relies heavily on it. There is not a different Java for browsers vs. desktop software; that is the magic of Java. It's universal: write once, install and use everywhere.

Lots of non-browser software these days tries to poke stuff online all the time, and if Libre uses Java (or is Java-based) then you might want to research any vulnerabilities. Start with Libre's main site for warnings, announcements, etc. Good luck.